Tuesday, March 2, 2010
XSS and the NASA (NA_XSS_A?)
http://winds.jpl.nasa.gov/imagesAnim/images.cfm?pageName=ImagesAnim&subPageName=QuikSCAT&Image=QS_S1B28865%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
OMG! NASA? Yep... Even when you assume security is a must @ sites like NASA, there are (some) insecurities! As you can see, the Image parameter was not sanitized (as it should have been! :)
I did some more tests on another NASA site (http://sbir.gsfc.nasa.gov):
We can list some directories:
http://sbir.gsfc.nasa.gov/sbirweb/search/
And we can see another XSS vulnerability:
http://sbir.gsfc.nasa.gov/sbirweb/search/searchResults.jsp?st=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E
OK, no more fun with NASA.
Why am I posting this? I'm sure people at NASA already know about it... Now I'll google a bit before posting. Yep! I've found http://hackingethics.wordpress.com/2010/02/15/xss-in-nasa-and-sql-injection-in-pentagon/ (and other links).
Well, it seems I can post this... Does anyone want to look for vulnerabilities at the Pentagon? Spare time? Where are you when I need you?
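The root cause in both NASA links is the same: a query-string value is reflected into the page without validation or HTML encoding. The following is an added example (not code from the post or from either NASA site, whose back ends are ColdFusion and JSP) that uses the `Image` parameter and the exact payload quoted above to show the failure mode beside the two defences a practitioner would apply: an allowlist check on the identifier, and context-appropriate output encoding. The page layout, the `/images/` path and the identifier pattern are assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote

# Constructed sample request: the query string from the post, with the reflected
# Image parameter carrying the payload quoted there.
SAMPLE_QUERY = ("pageName=ImagesAnim&subPageName=QuikSCAT"
                "&Image=QS_S1B28865%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E")

# Assumed identifier format for the allowlist check; image ids on the page look
# like QS_S1B28865, so letters, digits and underscores are accepted, nothing else.
IMAGE_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def image_param(query: str) -> str:
    """Return the URL-decoded value of the Image parameter ('' if absent)."""
    return parse_qs(query, keep_blank_values=True).get("Image", [""])[0]


def is_valid_image_id(image: str) -> bool:
    """Primary defence: reject anything that is not a plausible image identifier."""
    return IMAGE_ID_RE.match(image) is not None


def render_unsafe(image: str) -> str:
    """The failure mode: the raw value lands in an attribute and a text node, so a
    quote followed by '>' closes the tag and the rest is parsed as markup."""
    return f'<img src="/images/{image}.jpg" alt="{image}"><p>Image: {image}</p>'


def render_safe(image: str) -> str:
    """Secondary defence: encode for each output context. html.escape(quote=True)
    encodes & < > " and ', which is correct for a double-quoted attribute and for
    text; the URL path segment is percent-encoded with no safe characters so the
    value cannot add path or query components."""
    attr = html.escape(image, quote=True)
    path = quote(image, safe="")
    return f'<img src="/images/{path}.jpg" alt="{attr}"><p>Image: {attr}</p>'


def contains_script_tag(markup: str) -> bool:
    """Detection helper for the demonstration: does a <script> tag survive?"""
    return "<script" in markup.lower()


def handle(query: str) -> str:
    """What the endpoint should do: validate, and only then render with encoding."""
    image = image_param(query)
    if not is_valid_image_id(image):
        return "<p>Unknown image.</p>"
    return render_safe(image)


if __name__ == "__main__":
    raw = image_param(SAMPLE_QUERY)
    print("decoded parameter:", raw)
    print("unsafe render contains <script>:", contains_script_tag(render_unsafe(raw)))
    print("safe render contains <script>:  ", contains_script_tag(render_safe(raw)))
    print("endpoint response:", handle(SAMPLE_QUERY))
```

Validation alone would have stopped this payload, but encoding is what protects the page when the allowlist is loosened later (for example to permit spaces or punctuation in names), so both belong in the fix.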
Saturday, October 3, 2009
Brief: Firefox feature looks to foil XSS attacks
The Mozilla Foundation released on Wednesday a preview version of the Firefox browser that implements a technology to protect against scripting attacks.
The technology, known as Content Security Policy, allows Web sites to specify restrictions on how they handle scripts. Using CSP, a Web site can create a white list of sites from which the browser should accept scripts as well as mandate that the scripts are labeled as applications and are not obfuscated. A number of other features are also available, all aiming to prevent malicious scripts from executing in the context of the current site.
The preview does not implement the entire specification, and Mozilla is looking for testers and feedback, Brandon Sterne, security program manager for Mozilla, stated in Wednesday's blog post.
"Please be aware that there are still a few rough spots," Sterne said. "The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec."
Content Security Policy is based on recommendations made by Robert "rsnake" Hansen back in 2005. Most browsers treat all scripts the same, executing them in the context of the current site no matter where they originated. That de facto policy is what allowed untrusted ads on The New York Times site to recently serve up malicious software to visitors, and what allowed the Samy and other Web worms to spread. Content Security Policy lets sites tell browsers which scripts should be allowed, and lets them impose additional restrictions on scripting.
Mozilla has created a demo page for security researchers who want to see Content Security Policy in action.
Source: SecurityFocus.
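To make the mechanism described above concrete, here is an added example (not Mozilla's code, and not the 2009 preview's implementation) that models how a browser evaluates the script-source whitelist in a Content-Security-Policy header: external scripts run only when their origin matches a listed source, and inline scripts, which is what a reflected XSS payload like the ones in the NASA post injects, run only if the site has explicitly allowed `'unsafe-inline'`. The directive names and fallback from `script-src` to `default-src` follow the later standardized CSP; the matcher is deliberately simplified (no ports, paths, nonces or hashes) and the sample policies and origins are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample header a site might send; 'self' plus one CDN, no inline scripts.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"


def parse_csp(policy: str) -> dict:
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_src_list(policy: dict) -> list:
    """script-src falls back to default-src when it is not given."""
    return policy.get("script-src", policy.get("default-src", []))


def _source_matches(source: str, script_url: str, page_origin: str) -> bool:
    """Simplified CSP source matching (scheme and host only, '*.' wildcard allowed)."""
    s = urlsplit(script_url)
    p = urlsplit(page_origin)
    if source == "'self'":
        return (s.scheme, s.netloc) == (p.scheme, p.netloc)
    if source.startswith("'"):
        # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL source
        return False
    if "://" in source:
        scheme, host = source.split("://", 1)
        if s.scheme != scheme:
            return False
    else:
        # Host-only source: accept the page's own scheme, or https (an upgrade)
        host = source
        if s.scheme not in (p.scheme, "https"):
            return False
    host = host.rstrip("/").lower()
    script_host = (s.hostname or "").lower()
    if host.startswith("*."):
        # *.example.com matches cdn.example.com but not example.com itself
        return script_host.endswith(host[1:]) and script_host != host[2:]
    return script_host == host


def allows_external_script(policy: dict, script_url: str, page_origin: str) -> bool:
    """Would a <script src=...> from script_url be executed on page_origin?"""
    return any(_source_matches(src, script_url, page_origin)
               for src in script_src_list(policy))


def allows_inline_script(policy: dict) -> bool:
    """Inline <script> bodies and on* handlers need an explicit 'unsafe-inline'.
    Injected script is inline by nature, so a policy without it blocks reflected
    XSS payloads even when the server failed to encode the output."""
    return "'unsafe-inline'" in script_src_list(policy)


if __name__ == "__main__":
    pol = parse_csp(SAMPLE_POLICY)
    origin = "https://www.example.com"
    for url in ("https://www.example.com/app.js",
                "https://cdn.example.com/lib.js",
                "https://ads.third-party.example/track.js"):
        print(url, "->", "allowed" if allows_external_script(pol, url, origin) else "blocked")
    print("inline script allowed:", allows_inline_script(pol))
```

The useful defensive reading of this model is the last function: CSP does not replace output encoding, but a policy without `'unsafe-inline'` turns a missed encoding bug from script execution into a blocked load and a console report.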